Crime pays on the Web, especially when the target is a financial institution.

Brokerage and regulatory officials say that cyberfraud has become a huge problem for brokerages, exchanges and the entire financial services industry — and can only get worse without more vigilance.

In a new white paper, financial-services firm First Clearing found that cyberfraud losses in 2011 alone came to $388 billion. And that makes cybercrime “larger than the global markets in marijuana, cocaine and heroin combined,” according to the paper, “Getting Serious About Cyber Risk.”

Indeed, cybercrime constitutes about half of all the fraud reported in the financial services sector, according to a recent worldwide survey by PricewaterhouseCoopers UK (PwC UK).

Some of the other findings of the PwC survey:

Thirty-four percent of respondents experienced some economic crime in the last 12 months.

Almost 1 in 10 who reported fraud suffered a loss of more than $5 million.

FDIC Regulation E (Sec. 205.6) limits how much the client will have to pay in the case of cyberfraud through unauthorized transfers.

If a client notifies the brokerage within 48 hours, the client is only liable for $50 of losses. After that, it’s $500. The rest of the liability belongs to the financial institution.

“Although consumers are well protected, corporations are not. When it comes to commercial liability, Regulation E sets no limits,” according to the First Clearing report. “Should one of your clients become the victim of cyber fraud, your financial institution is expected to absorb the losses in excess of the consumer’s protection limits.”

But how can a firm defend itself — and its clients — against these cyber crooks?

“The best, most effective way to measure or implement an appropriate security posture,” said the First Clearing report, “is to undertake a guided third-party risk assessment. If an attacker were probing your defenses today, are you comfortable you would even know [about it]?”

Most attacks against both large and small businesses are crimes of opportunity, according to First Clearing executives.

This means that the foremost reason an attacker chooses a particular firm is simple vulnerability.